On June 22, 2012, Senator Pat Toomey introduced the Data Security and Breach Notification Act of 2012 (the "Act") [i] on behalf of himself and Republican Senators Olympia Snowe (Me.), Jim DeMint (S.C.), Roy Blunt (Mo.) and Dean Heller (Nev.). The Act, if enacted, would establish a national data security and breach notification standard for the protection of consumers' electronic personal information by commercial entities covered by the Act.[ii]

The Act would apply to "Covered Entities," which are defined broadly to include all sole proprietorships, partnerships, corporations, trusts, estates, cooperatives, associations or any other commercial entities that acquire, maintain, store or utilize "Personal Information."[iii] Financial institutions subject to the Gramm-Leach-Bliley Act and entities regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are excluded from the definition of Covered Entities and would thus not be subject to the Act.[iv]

The Act requires Covered Entities to take reasonable measures to protect and secure electronic data containing "Personal Information," defined as an individual's first name or first initial, and last name in combination with one or more of the following: (1) a social security number, (2) a government issued identification number (such as a driver's license, passport or military identification), or (3) a financial account number, credit card number, or debit card number with the necessary security code or password.[v] Personal Information does not include information that is in the public record or information that is encrypted, redacted or secured by any other means that render the data elements "unusable."[vi] The Act does not, however, define what constitutes reasonable measures of protecting and securing Personal Information. This more flexible and business-friendly standard is a departure from recent proposed federal legislation, discussed in our previous postings, as well as from data security laws in effect in states such as Massachusetts that include specific requirements for the protection of personal information and notification in the event of a data security breach.[vii]

In the event of a data security breach, the Act would require Covered Entities that own or license electronic data containing affected Personal Information to give notice to individuals only if the Covered Entity believes or reasonably believes that (1) the individuals' Personal Information was accessed or acquired by an unauthorized person and (2) the breach has caused or would cause identity theft or financial harm.[viii] The Covered Entity must give notice as expeditiously as practicable, consistent with any measures necessary to determine the scope of the breach and restore the "reasonable integrity" of the data system that was breached.[ix] If the Covered Entity reasonably believes that a breach involves the information of more than 10,000 individuals, the Covered Entity would also be required to notify the FBI or the Secret Service.[x] The Act permits Covered Entities to provide notice to affected individuals by mail, e-mail or telephone and provides for substitute notification on the Covered Entity's website or in print and broadcast media, where individual notification would not be feasible due to excessive costs or a lack of individual contact information.[xi] The Act would require that the notice include, to the extent practicable, the date of the breach, a description of the information reasonably believed to have been accessed and acquired, and information that would enable the individual to contact the Covered Entity.[xii]

In the event of a breach of security of a system maintained by a third-party entity that has been contracted to maintain, store or process Personal Information on behalf of a Covered Entity, the third-party entity must notify the Covered Entity of the breach of security.[xiii] Upon receiving notice, the Covered Entity must provide notice to individuals affected in accordance with the provisions described above.[xiv]

The Act, if passed, would provide no private right of action for consumers to sue Covered Entities.[xv] Rather, the Federal Trade Commission (the "Commission") would be tasked with enforcing the Act, pursuant to its authority under the Federal Trade Commission Act[xvi] to prosecute unfair and deceptive trade practices.[xvii] The Act would authorize the Commission to impose fines on Covered Entities that fail to reasonably protect Personal Information or fail to provide reasonably expeditious notice to affected individuals. A Covered Entity could be liable for up to $500,000 for all violations resulting from the same act or omission that constitutes a failure to reasonably protect Personal Information under the Act.[xviii] In addition, the Covered Entity could be liable for $500,000 for each single data security breach where the Covered Entity fails to comply with the Act's breach notification requirements.[xix]

If passed, this Act would create a single data security and breach notification standard for all Covered Entities throughout the United States. The Act would explicitly pre-empt existing state data security breach notification and data protection laws, irrespective of whether the state laws are more or less protective of personal information.[xx] Companies such as AT&T[xxi] and CTIA[xxii] have come out in support of this proposed legislation, as a consistent approach to regulating data security in the United States.

Consumer data protection continues to be an active topic in Congress. Although it is proving challenging for Congress to pass a federal data privacy bill, companies should stay abreast of proposals and continue to develop and refine their privacy and data protection practices to anticipate changes in their compliance obligations in the future.